diff --git a/.woodpecker.yml b/.woodpecker.yml
index 7598ea7..d5dda1b 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -30,11 +30,9 @@ steps:
   lockfile-check:
     name: lockfile-check
     image: node:22-alpine
-    depends_on: [ "test" ]
     commands:
       - echo "nameserver 1.1.1.1" > /etc/resolv.conf
       - echo "nameserver 1.0.0.1" >> /etc/resolv.conf
-      - chmod +x scripts/refresh-lockfile.sh
       - sh scripts/refresh-lockfile.sh --check
     when:
       branch: main
diff --git a/scripts/refresh-lockfile.sh b/scripts/refresh-lockfile.sh
index ab661b5..5a48854 100755
--- a/scripts/refresh-lockfile.sh
+++ b/scripts/refresh-lockfile.sh
@@ -34,19 +34,22 @@ if [ -f package-lock.json ]; then
     OLD_HASH=$($HASH_CMD package-lock.json | cut -d' ' -f1)
 fi
 
-# Clean and regenerate
-rm -rf node_modules package-lock.json
-
 if [ "$CHECK_MODE" = true ]; then
-    # CI mode: just generate lock file quickly
-    npm install --package-lock-only
+    # CI mode: generate fresh lock file in temp dir, compare hashes
+    TMPDIR=$(mktemp -d)
+    cp package.json "$TMPDIR/"
+    cd "$TMPDIR"
+    npm install --package-lock-only --ignore-scripts 2>/dev/null
+    NEW_HASH=$($HASH_CMD package-lock.json | cut -d' ' -f1)
+    cd - >/dev/null
+    rm -rf "$TMPDIR"
 else
-    # Local mode: full install
+    # Local mode: clean and regenerate with full install
+    rm -rf node_modules package-lock.json
     npm install
+    NEW_HASH=$($HASH_CMD package-lock.json | cut -d' ' -f1)
 fi
 
-NEW_HASH=$($HASH_CMD package-lock.json | cut -d' ' -f1)
-
 if [ "$OLD_HASH" = "$NEW_HASH" ]; then
     echo "✅ package-lock.json is up to date"
     exit 0